Privacy flaws can reveal users’ identities, locations, and digital files

can make this attack even when Bob is not on her contact list, and even when Bob has explicitly configured Skype to block calls from non-contacts. By repeating the process on, say, an hourly basis, Alice can track the locations and movements of any Skype user over weeks or months, without the user having any idea that he is being tracked.

To demonstrate the potential severity of these security vulnerabilities, the researchers tracked the Skype accounts of about twenty volunteers as well as 10,000 random users over a two-week period, using techniques that neither harmed nor disrupted the service, made no requests for which the service was not designed, and did not interfere with users.

All data were anonymized for user safety. Skype and Microsoft Corp. were informed of the researchers’ findings.

The researchers used commercial geo-location mapping services and found that they could construct a detailed account of a user’s daily activities even if the user had not turned on Skype for seventy-two hours. In one example, they accurately tracked one volunteer researcher from a visit to a New York university to a vacation in Chicago, a return to the New York university, lodging in Brooklyn, and then to his home in France. “If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when,” the authors said.

They calculated it would cost a marketer who wanted to create a database only $500 per week to track 10,000 users — and perhaps less, since they did not delve deeply into optimization.

In another experiment, they queried the 50,000 most popular downloads on BitTorrent, a popular P2P file-sharing system. Because it enables sharing of large files, it is a favorite of digital pirates. When a common IP address was found on both Skype and BitTorrent, the researchers were able to determine the files that identified individuals had downloaded or shared. They noted that the same information could be obtained from other P2P applications, such as eMule or Xunlei.
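The Skype-to-BitTorrent link described above is, at bottom, a join on IP address between two sets of observations. The sketch below is an added illustration, not the researchers' code, and runs on constructed sample data (the user names, torrent names and documentation-range IPs are all made up). It shows the two checks a practitioner would want before treating such a match as evidence: the two sightings must be close in time, because consumer addresses are reassigned, and an address seen for many different Skype users (a NAT, proxy or campus gateway) cannot be pinned on any one person.

```python
"""Correlate per-user IP sightings (what hourly 'inconspicuous calls' would
yield) with peer-list sightings from BitTorrent swarms.

Added example; constructed data, not the researchers' dataset or code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (skype_user, observed_at, ip): constructed Skype observations.
SKYPE_OBS = [
    ("alice_demo", "2011-10-03T09:00:00", "203.0.113.17"),
    ("alice_demo", "2011-10-03T10:00:00", "203.0.113.17"),
    ("alice_demo", "2011-10-03T11:00:00", "203.0.113.17"),
    ("bob_demo",   "2011-10-03T09:30:00", "198.51.100.5"),
    ("carol_demo", "2011-10-03T09:30:00", "198.51.100.5"),  # same IP as bob/dave:
    ("dave_demo",  "2011-10-03T09:30:00", "198.51.100.5"),  # looks like a shared NAT
    ("erin_demo",  "2011-10-03T20:00:00", "192.0.2.44"),
]

# (torrent_name, observed_at, ip): constructed swarm peer-list samples.
SWARM_OBS = [
    ("example-film.mkv",  "2011-10-03T10:20:00", "203.0.113.17"),
    ("example-album.zip", "2011-10-05T10:20:00", "203.0.113.17"),  # two days later
    ("example-film.mkv",  "2011-10-03T09:35:00", "198.51.100.5"),
    ("example-show.avi",  "2011-10-03T19:50:00", "192.0.2.44"),
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def shared_ips(skype_obs, max_users_per_ip=2):
    """Return IPs seen for more than max_users_per_ip distinct Skype users.

    Such an address is probably a NAT, proxy or institutional gateway, so a
    swarm sighting there cannot be attributed to a single person.
    """
    users_by_ip = defaultdict(set)
    for user, _, ip in skype_obs:
        users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) > max_users_per_ip}


def correlate(skype_obs, swarm_obs, window=timedelta(hours=2), max_users_per_ip=2):
    """Map each Skype user to the torrents seen at 'their' IP within +/- window.

    A match days apart is not evidence, since dynamic addresses get reassigned;
    shared IPs (see shared_ips) are dropped before joining.
    """
    noisy = shared_ips(skype_obs, max_users_per_ip)
    sightings = defaultdict(list)  # ip -> [(time, user)]
    for user, ts, ip in skype_obs:
        if ip not in noisy:
            sightings[ip].append((_parse(ts), user))

    linked = defaultdict(set)  # user -> {torrent}
    for torrent, ts, ip in swarm_obs:
        t_swarm = _parse(ts)
        for t_skype, user in sightings.get(ip, []):
            if abs(t_skype - t_swarm) <= window:
                linked[user].add(torrent)
    return dict(linked)


if __name__ == "__main__":
    print("shared/NAT addresses ignored:", sorted(shared_ips(SKYPE_OBS)))
    for user, torrents in sorted(correlate(SKYPE_OBS, SWARM_OBS).items()):
        print(user, "->", sorted(torrents))
```

With the sample data, only alice_demo (film sighting twenty minutes after a Skype sighting at the same address) and erin_demo are linked; the album seen two days later at alice_demo's old address is discarded by the time window, and the three users behind 198.51.100.5 are dropped as a shared address. Both thresholds are assumptions for the illustration; real deployments would tune them against observed address-churn rates.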

A fairly straightforward and inexpensive fix would prevent attackers from taking the critical first step in this privacy breach: obtaining users’ IP addresses through inconspicuous calls. The researchers say that redesigning the Skype protocol so that a user’s IP address is never revealed unless the call is accepted would offer substantially greater privacy.

Skype claims it has more than a half-billion registered users and a monthly average of 170 million active ones who use its application for phoning, texting, instant messaging and video conferencing. By one report, one in five overseas calls is made via Skype. One study found BitTorrent may account for a quarter to more than a half of all Internet traffic.

While Skype was the only service tested in this study, the researchers claim that some of the security issues are fundamental to all real-time P2P communication systems, and that the proposed defenses may offer guidelines for enhancing privacy of other popular applications.